Deploy the Splunk Add-on for Splunk UBA
Determine where and how to install this add-on in your distributed deployment using the information on this page.
Note: The Splunk Add-on for UBA is not available for download on Splunkbase. The add-on is installed by default with Splunk Enterprise Security (ES). See How do I obtain the Splunk Add-on for Splunk UBA?
Where to install this add-on
Depending on your environment, your preferences, and the requirements of the add-on, you might need to install the add-on in multiple places.
To deploy it alongside Splunk Enterprise Security, see Deploy technology add-ons to Splunk Enterprise Security in the Splunk Enterprise Security Installation and Upgrade Manual.
| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | This add-on is installed on the search head when you install Enterprise Security. |
| Indexers | Yes | Yes | This add-on includes two indexes and index-time configurations. |
| Heavy Forwarders | Yes | No | All forwarder types are supported. |
| Universal Forwarders | Yes | No | All forwarder types are supported. |
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Details |
|---|---|---|
| Search Head Clusters | Yes | Changes made during setup must be manually deployed. |
| Indexer Clusters | Yes | This add-on contains indexes. |
| Deployment Server | Yes | Supported for deploying the configured add-on to multiple nodes. |